Integrity check optimization systems and methods in live connectivity frames

ABSTRACT

A method, a network element, and a network include determining an authentication mechanism between two nodes in a network path; operating the network path; performing a connectivity check between the two nodes in the network path; and authenticating specific frames in the connectivity check between the two nodes with the authentication mechanism responsive to the specific frames affecting a state of the network path. The frames can be Bidirectional Forwarding Detection (BFD), Continuity Check Messages (CCMs), etc. Advantageously, the method, network element, and network reduce the computational load of providing authentication while maintaining secure authentication for important frames, i.e., ones that affect the state of the network path.

FIELD OF THE DISCLOSURE

The present disclosure relates generally to networking systems and methods. More particularly, the present disclosure relates to integrity check optimization systems and methods in live connectivity frames such as Bidirectional Forwarding Detection (BFD) control packets in RFC 5880 and RFC 5881 or Continuity Check Messages (CCM) in IEEE 802.1ag or ITU-T Recommendation Y.1731.

BACKGROUND OF THE DISCLOSURE

In pure Layer 2 and Multiprotocol Label Switching (MPLS) networks (MPLS is Layer 2+, sometimes referred to as Layer 2.5), continuity techniques exist for detecting failures or implementing other changes in the data path. The Internet Architecture Board (IAB) describes an attack on the core routing infrastructure as the ideal attack from an adversary's point of view, i.e., the one that would inflict the greatest amount of damage. It recommends that live connectivity protocols protect their frames from third-party intrusion attempts by authenticating all of them. However, authenticating every one of these frames is very resource consuming. Most conventional systems have no support for cryptography in the data path. Moreover, performing an integrity check on each and every continuity frame is expensive, from both a resource and a time perspective, which effectively rules out implementing the solution in software. Implementing the solution in hardware would require cryptography in hardware, which makes the solution expensive and incompatible with currently deployed systems. Continuity techniques such as BFD and CCMs require message transmission at a high frequency (e.g., every 3.3 ms) to detect the failure of the network path. RFC 6862, "Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and Requirements" (March 2013), the contents of which are incorporated by reference herein, states that the BFD protocol needs to be protected from replay attacks and that an integrity check associated with a message must fail if an attacker tries to replay the message with a different origin.

Computing the hash for an integrity check therefore has to be done in software even when hardware is used for live connectivity verification. Doing so for every frame is simply a high cost and complexity of implementation without adding to the sanctity of the connection.

BRIEF SUMMARY OF THE DISCLOSURE

In an exemplary embodiment, a method includes determining an authentication mechanism between two nodes in a network path; operating the network path; performing a connectivity check between the two nodes in the network path; and authenticating specific frames in the connectivity check between the two nodes with the authentication mechanism responsive to the specific frames affecting a state of the network path. The method can further include transmitting other frames in the connectivity check besides the specific frames without the authentication mechanism. The method can further include operating the network path as pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms, wherein the connectivity check is part of the OAM mechanisms. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include one of BFD control packets and BFD echo packets predetermined to affect the state of the network path. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include BFD control packets with a P or an F flag enabled therein, and the method can further include enabling an A flag in the BFD control packets of the specific frames and using the authentication mechanism. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include one of BFD control packets and BFD echo packets indicating a Remote Defect Indication (RDI), an Alarm Indication Signal (AIS), and a change in operating parameters. The connectivity check can include IEEE 802.1ag-2007 or G.8013/Y.1731, and the specific frames can include Continuity Check Message (CCM) Protocol Data Units (PDUs) predetermined to affect the state of the network path. The authentication mechanism can be performed in software at the two nodes. The specific frames can include any frames in any of Open Shortest Path First (OSPF) [RFC2328], Intermediate System-Intermediate System (IS-IS) [RFC1195], and Routing Information Protocol (RIP) [RFC2453] predetermined to affect the state of the network path.

In another exemplary embodiment, a network element includes one or more ports communicatively coupled to an end node in a network path; and a controller configured to: determine an authentication mechanism with the end node; cause the network path to operate with the end node; perform a connectivity check with the end node in the network path; and authenticate specific frames in the connectivity check with the end node with the authentication mechanism responsive to the specific frames affecting a state of the network path. In yet another exemplary embodiment, a network includes a first node; and a second node communicatively coupled to the first node and forming a network path operating pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms; wherein a plurality of frames are exchanged between the first node and the second node as part of the OAM mechanisms, and the plurality of frames are classified as one of affecting a state of the network path or not affecting the state of the network path; and wherein the first node and the second node are configured to authenticate the plurality of frames classified as affecting a state of the network path and to not authenticate the plurality of frames classified as not affecting the state of the network path. The plurality of frames can utilize Bidirectional Forwarding Detection (BFD).

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated and described herein with reference to the various drawings, in which like reference numbers are used to denote like system components/method steps, as appropriate, and in which:

FIG. 1 is a network diagram of an exemplary Ethernet network configured with Operations, Administration, and Maintenance (OAM) mechanisms;

FIG. 2 is a block diagram of a Bidirectional Forwarding Detection (BFD) control packet;

FIG. 3 is a block diagram of an exemplary Continuity Check Message (CCM) protocol data unit (PDU);

FIG. 4 is a flowchart of an integrity check optimization method; and

FIG. 5 is a block diagram of an exemplary implementation of a network element for the nodes in the Ethernet network of FIG. 1.

DETAILED DESCRIPTION OF THE DISCLOSURE

In various exemplary embodiments, a method, a network element, and a network include determining an authentication mechanism between two nodes in a network path; operating the network path; performing a connectivity check between the two nodes in the network path; and authenticating specific frames in the connectivity check between the two nodes with the authentication mechanism responsive to the specific frames affecting a state of the network path. The frames can be Bidirectional Forwarding Detection (BFD), Continuity Check Messages (CCMs), etc. Advantageously, the method, network element, and network reduce the computational load of providing authentication while maintaining secure authentication for important frames, i.e., ones that affect the state of the network path.

Referring to FIG. 1, in an exemplary embodiment, a network diagram illustrates an exemplary Ethernet network 100 configured with Operations, Administration, and Maintenance (OAM) mechanisms. For illustration purposes, the Ethernet network 100 includes three interconnected network elements 102, 104, 106. The Ethernet network 100 includes connectivity checks in the OAM mechanisms. In an exemplary embodiment, the connectivity checks can include BFD packets such as defined in RFC 5880, "Bidirectional Forwarding Detection (BFD)" (June 2010) and RFC 5881, "Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)" (June 2010), the contents of each of which are incorporated by reference herein. In another exemplary embodiment, the connectivity checks can include CCMs such as defined in IEEE 802.1ag (2007), "IEEE Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management," or ITU-T Recommendation G.8013/Y.1731, "OAM functions and mechanisms for Ethernet based networks" (November 2013), the contents of each of which are incorporated by reference herein. The OAM mechanisms as described herein can include BFD, IEEE 802.1ag, or G.8013/Y.1731. For example, BFD packets can be used when the Ethernet network 100 is MPLS-based, and CCMs can be used when the Ethernet network 100 is pure Layer-2. The integrity check optimization systems and methods described herein contemplate operation with BFD packets, CCMs, or any other type of live connectivity check technique.

Fundamental to the OAM mechanisms is the concept of a Maintenance Entity (ME) or a Maintenance Association (MA), which is the identified network transport construct spanning the various network nodes underlying a given service or set of services. The OAM mechanisms rely on well-defined messages exchanged between the network elements, specifically and in particular each Maintenance End Point (MEP) that provides origination and termination of the service transport path(s) for a ME or MA. In the example of FIG. 1, the network elements 102, 104 are defined as MEG End Points (MEPs). In the OAM mechanisms, a MEP is configured to source and sink BFD packets, CCMs, etc., i.e., source and sink within a single configured MD (Maintenance Domain), pass through if the MD Level is higher than the configured level for the MEP, and discard if the MD Level is lower. The MEPs 102, 104 are also configured to participate in performance monitoring and live connectivity checks. In a point-to-point network such as illustrated in FIG. 1, there are two MEP nodes at the endpoints, and in other configurations as are also contemplated by the integrity check optimization systems and methods, there may be multiple MEP nodes. Also, a domain may have one or more Maintenance Intermediate Point (MIP) nodes bounded by a plurality of MEP nodes. In order that BFD packet, CCM, etc. flows are appropriately filtered so that they are processed only by the intended domain's nodes, the MEP/MIP population of the Ethernet network 100 is configured appropriately.

The network element 106 is defined as a MIP which resides between MEPs, i.e., the MIP 106 is communicatively coupled between the MEPs 102, 104. A MIP is configured to process and forward BFD packets, CCMs, etc., but does not initiate BFD packets, CCMs, etc. As described herein, MEP and MIP terminology is used for nodes present at endpoints and intermediate points, respectively, in the Ethernet network 100. Also, Ethernet Path terminology is used to denote a point-to-point Ethernet connection between two nodes, e.g., the connection being built using Virtual Local Area Network (VLAN) cross connection or unicast Ethernet Media Access Control (MAC) plus VLAN connection. Additionally, other types of Ethernet paths, such as, for example, Provider Backbone Bridging-Traffic Engineering (PBB-TE), MPLS-TP, and the like are also contemplated by the integrity check optimization systems and methods described herein. Various terminology utilized herein, such as MEP, MIP, etc., is common to each of IEEE 802.1ag-2007, G.8013/Y.1731, BFD, etc. IEEE 802.1ag-2007 utilizes the term Maintenance Association (MA) whereas G.8013/Y.1731 and BFD utilize Maintenance Entity Group (MEG) for the same construct. Those of ordinary skill in the art will recognize that, while described herein as the MEG 108, the MEG 108 could also be referred to as the MA 108. Generally, the MEG 108 and MA relate to an administrative grouping relative to the MEPs 102, 104. Additionally, IEEE 802.1ag-2007 defines a MEP as a Maintenance association End Point whereas G.8013/Y.1731 and MEF define a MEP as a Maintenance Entity Group End Point. In the following description, MEP may be generally referred to as a Maintenance End Point covering the constructs of IEEE 802.1ag-2007, G.8013/Y.1731, MEF, BFD, etc.

In one aspect of the OAM mechanisms, BFD packets and CCMs provide mechanisms for connectivity verification. Collectively, the BFD packets and CCMs can be referred to as connectivity check (CC) frames. The CC frames are generally used to verify connectivity of a path. BFD is used to detect faults between two forwarding engines connected by a link, e.g., between the MEPs 102, 104. It provides low-overhead detection of faults even on physical media that do not support failure detection of any kind, such as Ethernet, virtual circuits, tunnels and MPLS Label Switched Paths. BFD does not have a discovery mechanism; sessions must be explicitly configured between the endpoints. BFD may be used on many different underlying transport mechanisms and layers, and operates independently of all of these. Therefore, it needs to be encapsulated by whatever transport it uses. For example, monitoring MPLS LSPs involves piggybacking session establishment on LSP-Ping packets. Protocols that support some form of adjacency setup, such as OSPF or IS-IS, may also be used to bootstrap a BFD session. These protocols may then use BFD to receive faster notification of failing links than would normally be possible using the protocol's own keep-alive mechanism. A session may operate in one of two modes: asynchronous mode and demand mode. In asynchronous mode, both endpoints periodically send control packets (often called Hello packets) to each other. If a number of those packets are not received, the session is considered down. In demand mode, no Hello packets are exchanged after the session is established; it is assumed that the endpoints have another way to verify connectivity to each other, perhaps on the underlying physical layer. However, either host may still send Hello packets if needed. Regardless of which mode is in use, either endpoint may also initiate an Echo function. When this function is active, a stream of Echo packets is sent, and the other endpoint then sends these back to the sender via its forwarding plane. This is used to test the forwarding path on the remote system.

In an exemplary embodiment, the Ethernet network 100 can include a first node (e.g., the MEP 102); and a second node (e.g., the MEP 104) communicatively coupled to the first node and forming a network path operating pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms; wherein a plurality of frames are exchanged between the first node and the second node as part of the OAM mechanisms, and the plurality of frames are classified as one of affecting a state of the network path or not affecting the state of the network path; and wherein the first node and the second node are configured to authenticate the plurality of frames classified as affecting a state of the network path and to not authenticate the plurality of frames classified as not affecting the state of the network path. The plurality of frames can utilize Bidirectional Forwarding Detection (BFD).

Referring to FIG. 2, in an exemplary embodiment, a block diagram illustrates a BFD control packet 150. Again, BFD establishes a session between two network devices to detect failures on the bidirectional forwarding paths between the devices and provide services for upper layer protocols. BFD provides no neighbor discovery mechanism. The protocols that BFD serves notify BFD of the devices to which it needs to establish sessions. After a session is established, if no BFD control packet is received from the peer within the negotiated BFD detection interval, BFD notifies the protocol of a failure, and the protocol then takes appropriate measures. The following table describes the various fields in the BFD control packet 150:

Vers                           Version number of the BFD protocol, currently 1.
Diag                           Diagnostic code indicating the reason for the last session state change of the local BFD system.
Sta                            Local state of the BFD session (AdminDown, Down, Init, Up).
P                              Poll flag. When parameters are changed, the sender sets this flag in the BFD packet, and the receiver must respond to the packet at once.
F                              Final flag. Must be set in the packet responding to a packet that had the P flag set.
C                              Control Plane Independent flag. When set, control plane changes do not affect BFD detection; for example, if the control plane is IS-IS, BFD can continue to monitor the link status while IS-IS resets or performs graceful restart (GR).
A                              Authentication Present flag. When set, the packet carries an Authentication Section and the session must be authenticated.
D                              Demand flag. When set, the sender wishes to operate in demand mode to monitor the link.
M                              Multipoint flag. Reserved in RFC 5880 and must be zero.
Detect Mult                    Detection time multiplier, used by the receiver in calculating the detection timeout.
Length                         Length of the BFD control packet, in bytes.
My Discriminator               Identifier for the BFD session, unique on the local side.
Your Discriminator             Discriminator received from the remote side for this session (zero if not yet known).
Desired Min Tx Interval        Minimum sending interval of BFD control packets supported by the local side.
Required Min Rx Interval       Minimum receiving interval of BFD control packets supported by the local side.
Required Min Echo Rx Interval  Minimum receiving interval of Echo packets supported by the local side (set to 0 if the local side does not support the Echo function).
Auth Type                      Authentication type; the current protocol provides Simple Password, Keyed MD5, Meticulous Keyed MD5, Keyed SHA1, and Meticulous Keyed SHA1.
Auth Length                    Length of the authentication data.
Authentication Data            Authentication data area.

In addition to the BFD control packet 150, BFD supports BFD echo packets to provide a fault detection mechanism without the use of the BFD control packet 150. One end sends BFD echo packets to the peer, which returns the received BFD echo packets without processing them. No BFD echo packet format is defined, as long as the transmitting end can distinguish between sessions. Per RFC 5880 and RFC 6862, the BFD control packets 150 (and, by the same reasoning, the BFD echo packets) should be authenticated. However, as described herein, this can be a resource intensive process without much benefit most of the time. The integrity check optimization systems and methods classify the BFD control packets 150 or the BFD echo packets based on whether or not they affect the state of a network path. For example, the BFD control packets 150 with the P or F flag set will affect the state of the network path; without these flags, the BFD control packets 150 are simple HELLO messages continuing verification of the network path. The BFD control packets 150 can also be configured to relay alarm indication signal (AIS) and remote defect indicator (RDI) errors between ends, and these would also affect the state of the network path.

In an exemplary embodiment, the integrity check optimization systems and methods propose an optimization of the integrity check that would otherwise be performed on every continuity check frame. The optimization is achieved by carefully examining which frames affect the state of a network path and authenticating only those frames. These frames are state transition frames and generally indicate a change in the status of the network path. By authenticating these particular frames, the sender and receiver can maintain the sanctity of the state of the network path without the need to perform an integrity check on every frame. For example, the BFD control packets 150 are authenticated (with the A flag set) only when the P or F flag is also set. Otherwise, the BFD control packets 150 are sent without authentication. The corollary on the receiving side is that a frame carrying a P or F flag but no authentication must be discarded rather than acted upon; otherwise an attacker could simply omit the authentication section. The integrity check optimization systems and methods alleviate the need to perform an integrity check on each and every continuity check frame, and instead perform the integrity check on the specific frames that affect the state of a network path. Attacking frames that do not affect the state of the network path will have no impact on the sanctity of the network path. By doing so, most systems should be able to implement and support authentication of continuity check frames in software or hardware. By enabling the integrity check only on certain frames, the approach can be implemented on both low-end and high-end platforms while preserving the sanctity of a connection against third-party injection attacks.

A network device should not change the status of the network path unless it is able to validate these frames for their integrity. These frames are not as frequent as the frames that maintain the status quo. The rest of the frames are sent without the integrity check enabled. Integrity checking of frames requires that they carry a sequence number in the payload of the packet. The sequence number could be incremented with every packet or could be incremented only for packets that have the integrity check enabled. Either way, the receiver must track the last accepted sequence number so that a captured state-transition frame cannot simply be replayed later. To enable the integrity check on the path, keys need to be distributed to the network elements where the path originates or terminates. There are well-defined mechanisms for key distribution, including manual key distribution, and automatic methods are being defined.

CFM includes Continuity Check Messages (CCMs), which may generally be referred to as "heartbeat" messages for CFM. That is, CCMs provide a mechanism to detect connectivity failures in a Maintenance Entity Group (MEG) or a Maintenance Association (MA). CCMs are multicast messages that are confined to a MEG Level or a Maintenance Domain (MD). These messages are unidirectional and do not solicit a response. Each Maintenance End Point (MEP) transmits a periodic multicast CCM inward towards the other MEPs. Conventionally, CCM related attributes are statically configured in IEEE 802.1ag-2007, G.8013/Y.1731, and the MEF. In order to change the attributes, static reconfiguration is required. Also, MEPs are statically configured in IEEE 802.1ag-2007, G.8013/Y.1731, MEF 17, etc. In order to add or remove a MEP from a MEG or a MA, static reconfiguration is also needed.

Referring to FIG. 3, in an exemplary embodiment, a block diagram illustrates an exemplary CCM protocol data unit (PDU) 180. As described herein, the CCM PDU 180 is multicast from MEPs to all MIPs and MEPs associated with a given MA/MEG. In an exemplary embodiment, the CCM PDU 180 is a G.8013/Y.1731 Ethernet Continuity Check (ETH-CC) PDU. Generally, CCM refers to the overall PDU whereas ETH-CC represents the information contained therein. The ETH-CC function is used for proactive OAM such as to detect loss of continuity (LOC) between any pair of MEPs in a MEG, unintended connectivity between two MEGs (Mismerge), unintended connectivity within the MEG with an unexpected MEP (Unexpected MEP), and other defect conditions (e.g., Unexpected MEG Level, Unexpected Period, etc.). Thus, the CCM is applicable for fault management, performance monitoring, or protection switching applications. In operation, upon reception, a MEP reports a frame with unexpected ETH-CC information. As described herein, CCM transmission may be enabled or disabled in a MEG/MA. When CCM transmission is enabled in a MEG/MA, all MEPs are enabled to periodically transmit frames with ETH-CC information to all other MEPs in the MEG/MA. The CCM transmission period may be the same for all MEPs in the MEG/MA. When a MEP is enabled to generate frames with ETH-CC information, it also expects to receive frames with ETH-CC information from its peer MEPs in the MEG/MA.

The CCM PDU 180 may include a MEG Level (MEL), which is a 3-bit field containing an integer value (0 to 7) that identifies the MEG Level of the CCM PDU 180. A Version field is a 5-bit field containing an integer value that identifies the OAM protocol version. An OpCode is a 1-octet field containing an OpCode that identifies the OAM PDU type, and in the case of the CCM PDU 180 it is set to 1. The OpCode is used to identify the remaining content of an OAM PDU. A Flags field is an 8-bit field dependent on the OAM PDU type, and in the case of the CCM PDU 180 it contains two information elements, for Remote Defect Indication (RDI) and Period. The most significant bit of the Flags field (bit 8) is a single bit for RDI, which is set to 1 to indicate a remote defect and otherwise is set to 0. The last three bits of the Flags field (bits 3 to 1) indicate the transmission period for the CCM PDU 180 as illustrated in the following table:

Flags [3:1]   Period Value    Comments
000           Invalid Value   Invalid value for CCM PDUs
001           3.33 ms         300 frames per second
010           10 ms           100 frames per second
011           100 ms          10 frames per second
100           1 s             1 frame per second
101           10 s            6 frames per minute
110           1 min           1 frame per minute
111           10 min          6 frames per hour

Similar to the BFD control packets 150, in an exemplary embodiment, the integrity check optimization systems and methods can be used with the CCM PDUs 180. Specifically, the CCM PDUs 180 can be sent with authentication if they affect the state of the network path, e.g., changing the transmission period or transmitting RDI. Note, the authentication can be provided in the reserved fields of the CCM PDU 180.
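As an added example (not code from the patent or from any standard), the following Python encodes and decodes the fixed part of a G.8013/Y.1731 CCM PDU as laid out above (MEL, Version, OpCode 1, Flags with RDI in bit 8 and Period in bits 3 to 1, TLV Offset 70, Sequence Number, MEP ID, 48-octet MEG ID, the four counter/reserved words, End TLV) and shows the receive-side classification the text calls for: which CCMs change the state of the MEG, and therefore must pass an integrity check before the MEP acts on them, and which are routine heartbeats. The MEG IDs, MEP IDs and the `authenticated` flag handed to the receiver are constructed test inputs; the `CcmReceiver` class and its reason strings are this example's own names; the integrity tag itself, and where in the PDU it is carried, is not modelled here.

```python
"""Classifying CCM PDUs (G.8013/Y.1731 ETH-CC layout) as state-affecting or routine.

Added example, not code from the patent or any standard. The receiving MEP acts on a
state-affecting CCM only if it was authenticated; routine heartbeats need no check.
"""
import struct

# Period code (Flags bits 3..1) -> transmission interval in microseconds; 000 is invalid.
PERIOD_US = {1: 3_333, 2: 10_000, 3: 100_000, 4: 1_000_000,
             5: 10_000_000, 6: 60_000_000, 7: 600_000_000}
OPCODE_CCM = 1
FLAG_RDI = 0x80            # bit 8 of the Flags octet
TLV_OFFSET_CCM = 70
# MEL|Version, OpCode, Flags, TLV Offset, Sequence, MEP ID, MEG ID, TxFCf, RxFCb, TxFCb, Reserved
FIXED = struct.Struct("!BBBBIH48sIIII")


def build_ccm(mel, period_code, seq, mep_id, meg_id, rdi=False):
    """Encode a CCM PDU with zeroed counters followed by an End TLV."""
    flags = (FLAG_RDI if rdi else 0) | (period_code & 0x07)
    body = FIXED.pack(mel << 5, OPCODE_CCM, flags, TLV_OFFSET_CCM, seq,
                      mep_id & 0x1FFF, meg_id.ljust(48, b"\0"), 0, 0, 0, 0)
    return body + b"\x00"


def parse_ccm(pdu):
    """Decode the fixed part; reject anything that is not a well-formed CCM."""
    if len(pdu) < FIXED.size + 1:
        raise ValueError("short CCM")
    mel_ver, opcode, flags, tlv_off, seq, mep_id, meg_id, *_ = FIXED.unpack_from(pdu)
    if opcode != OPCODE_CCM or tlv_off != TLV_OFFSET_CCM:
        raise ValueError("not a CCM PDU")
    code = flags & 0x07
    if code not in PERIOD_US:
        raise ValueError("invalid CCM period")
    return {"mel": mel_ver >> 5, "version": mel_ver & 0x1F,
            "rdi": bool(flags & FLAG_RDI), "period_code": code,
            "period_us": PERIOD_US[code],
            # loss of continuity is declared after 3.5 CCM intervals without a CCM
            "loc_timeout_us": PERIOD_US[code] * 7 // 2,
            "seq": seq, "mep_id": mep_id, "meg_id": meg_id}


class CcmReceiver:
    """A receiving MEP: acts on a state-affecting CCM only if it was authenticated."""

    def __init__(self, meg_id, period_code, expected_meps):
        self.meg_id = meg_id.ljust(48, b"\0")
        self.period_code = period_code        # period configured for the whole MEG
        self.expected_meps = set(expected_meps)
        self.peers = {}                       # mep_id -> last accepted (rdi, period_code, seq)

    def reasons(self, ccm):
        """List why this CCM would change MEG state; an empty list means routine heartbeat."""
        if ccm["meg_id"] != self.meg_id:
            return ["mismerge"]               # a CCM leaked in from another MEG
        r = []
        if ccm["mep_id"] not in self.expected_meps:
            r.append("unexpected-mep")
        if ccm["period_code"] != self.period_code:
            r.append("unexpected-period")
        prev = self.peers.get(ccm["mep_id"])
        if prev is None:
            r.append("first-ccm")             # peer goes from unknown to present
        else:
            if ccm["rdi"] != prev[0]:
                r.append("rdi-set" if ccm["rdi"] else "rdi-cleared")
            if ccm["period_code"] != prev[1]:
                r.append("period-change")
        return r

    def receive(self, pdu, authenticated):
        """Return (acted_on, reasons). An unauthenticated state-affecting CCM is ignored."""
        ccm = parse_ccm(pdu)
        r = self.reasons(ccm)
        if r and not authenticated:
            return (False, r)
        if "mismerge" not in r:               # never record a foreign MEG's MEP as a peer
            self.peers[ccm["mep_id"]] = (ccm["rdi"], ccm["period_code"], ccm["seq"])
        return (True, r)


def demo():
    """Constructed CCM sequence for a MEG configured for 1 s CCMs with peer MEPs 1 and 2."""
    rx = CcmReceiver(b"MEG-A", 4, {1, 2})
    steps = [
        (build_ccm(3, 4, 1, 1, b"MEG-A"), True),             # first CCM from MEP 1, authenticated
        (build_ccm(3, 4, 2, 1, b"MEG-A"), False),            # routine heartbeat, no tag needed
        (build_ccm(3, 4, 3, 1, b"MEG-A", rdi=True), False),  # RDI without a tag: not acted on
        (build_ccm(3, 4, 3, 1, b"MEG-A", rdi=True), True),   # RDI with a tag: accepted
        (build_ccm(3, 3, 4, 1, b"MEG-A", rdi=True), True),   # period changed to 100 ms
        (build_ccm(3, 4, 1, 9, b"MEG-A"), False),            # MEP 9 is not in this MEG
        (build_ccm(3, 4, 1, 2, b"MEG-B"), True),             # CCM from another MEG (mismerge)
    ]
    return [rx.receive(pdu, auth) for pdu, auth in steps]
```

The classifier goes a little beyond the page's two examples (a period change and RDI): it also treats the defect conditions listed earlier (Mismerge, Unexpected MEP, Unexpected Period) and a peer's first CCM as state-affecting, since a MEP reacting to any of them changes its view of the MEG. Note the ordering in `receive`: the per-peer record is updated only after the frame has been accepted, so an unauthenticated RDI never alters what the next CCM from that MEP is compared against.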

Referring to FIG. 4, in an exemplary embodiment, a flowchart illustrates an integrity check optimization method 200. The integrity check optimization method 200 contemplates operation in the Ethernet network 100 between the nodes 102, 104, in a network element 300 (FIG. 5), and the like. The integrity check optimization method 200 seeks to optimize authentication of OAM frames or the like in a network path. Again, most systems today have no support for cryptography (hardware) in the data path or network path. Moreover, performing an integrity check on each and every frame is expensive, from both a resource and a time perspective, which effectively rules out implementing the solution in software. Implementing the solution in hardware would require cryptography in hardware, which makes the solution expensive and incompatible with existing non-compliant systems. To that end, the integrity check optimization method 200 can provide software-based authentication, but on a limited basis, i.e., only when needed because the frames will have an impact on the network path. The optimization is achieved by determining which frames affect the state of a network path and authenticating only those frames. These frames are state transition frames and generally indicate a change in the status of the network path. By authenticating these particular frames, the sender and receiver can maintain the sanctity of the state of the path without the need to perform an integrity check on every frame. By identifying and sending only certain frames for integrity check, the computational load is reduced in a way that both low-end and high-end systems can enable the integrity check. Nodes at both ends have to recognize which frames are enabled for integrity check and perform the integrity check on them.

The integrity check optimization method 200 includes determining an authentication mechanism between two nodes in a network path (step 202). To enable the integrity check on the network path, keys need to be distributed to the two nodes where the path originates or terminates. There are well-defined mechanisms for key distribution, including manual key distribution, and automatic methods are being defined. For example, the authentication mechanism can include a simple password, Keyed Message Digest 5 (MD5), Meticulous Keyed MD5, Keyed Secure Hash Algorithm 1 (SHA1), Meticulous Keyed SHA1, and the like. The simple password can be a binary string from 1 to 16 bytes in length. Of these, the simple password is carried in the clear and provides no cryptographic integrity protection, and MD5 is no longer considered collision resistant, so among the mechanisms RFC 5880 defines the Keyed SHA1 variants are the appropriate choice; the meticulous variants additionally increment the sequence number on every authenticated packet, which is what defeats replay. Other embodiments for the authentication mechanism are also contemplated. The integrity check optimization method 200 next includes operating the network path (step 204). Here, data is exchanged over the network path. The integrity check optimization method 200 includes performing a connectivity check between the two nodes in the network path (step 206). The performing is done while the network path is operating. As discussed herein, the connectivity check provides OAM mechanisms over the network path including live connectivity checks. The connectivity check can also affect the state of the network path by, for example, changing connectivity intervals, signaling a remote defect indication (RDI), signaling an alarm indication signal (AIS), etc.

The connectivity check can include, without limitation, the BFD control packets 150, BFD echo packets, the CCM PDUs 180, and the like. Additionally, the connectivity check can be extended to any frame in any protocol which causes a change in the network path, for example, in OSPF [RFC2328], IS-IS [RFC1195], RIP [RFC2453], etc. The integrity check optimization method 200 includes authenticating specific frames in the connectivity check between the two nodes with the authentication mechanism responsive to the specific frames affecting a state of the network path (step 208). As described herein, RFC 6862 states:

Routing Protocols (or the transport or network mechanism protecting routing protocols) should be able to detect and reject replayed intra-session and inter-session messages. Packets captured from one session must not be able to be resent and accepted during a later session (i.e., inter-session replay). Additionally, replay mechanisms must work correctly even in the presence of routing protocol packet prioritization by the router.

There is a specific case of replay attack combined with spoofing that must be addressed. Several routing protocols (e.g., OSPF [RFC2328], IS-IS [RFC1195], BFD [RFC5880], RIP [RFC2453], etc.) require all speakers to share the same authentication and message association key on a broadcast segment. It is important that an integrity check associated with a message fail if an attacker has replayed the message with a different origin.

The integrity check optimization method 200 seeks to address these concerns, but in an optimized manner, i.e., with authentication only when required. The integrity check optimization method 200 also includes transmitting other frames in the connectivity check besides the specific frames without the authentication mechanism (step 210). As described herein, it is expected that the vast majority of the frames in the connectivity check will be the other frames which do not require authentication. Thus, the overall computational load is reduced while security is preserved.
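As an added example (not code from the patent, nor from any BFD implementation) that ties together the BFD control packet fields tabulated earlier, the P/F classification, and steps 202 through 210, the following Python encodes RFC 5880 control packets and applies the policy on both sides of a session: a Poll or Final carries a Meticulous Keyed SHA1 Authentication Section (Auth Type 5) and the A flag, a routine keep-alive carries nothing, and the receiver verifies the keyed hash and the sequence window on authenticated frames while refusing to act on any P/F frame that arrives without one. The shared key, discriminators and intervals are constructed test values; the `Peer` class, its method names and the verdict strings are this example's own. One deliberate departure from RFC 5880 section 6.8.6 is visible in `receive`: the RFC discards a packet whose A bit is clear whenever authentication is configured, whereas the page's policy (and this code) accepts such a packet as long as it cannot change session state.

```python
"""Selective authentication of BFD control packets (RFC 5880 encoding).

Added example, not code from the patent or any BFD implementation. Only frames
that can change session state (P or F flag set) carry an Authentication Section
(Meticulous Keyed SHA1, Auth Type 5); routine frames do not; and the receiver
never acts on an unauthenticated P/F frame. Key, discriminators and intervals
are constructed test values.
"""
import hashlib
import hmac
import struct

# Second header octet (RFC 5880 section 4.1): Sta in the top two bits, then P F C A D M.
FLAG_P, FLAG_F, FLAG_C, FLAG_A, FLAG_D, FLAG_M = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
STA_ADMIN_DOWN, STA_DOWN, STA_INIT, STA_UP = 0, 1, 2, 3
AUTH_METICULOUS_KEYED_SHA1 = 5            # Auth Type (section 4.2)
AUTH_LEN_SHA1 = 28                        # Auth Len of the SHA1 section (section 4.4)
MANDATORY = struct.Struct("!BBBBIIIII")   # 24-octet mandatory section
AUTH_HDR = struct.Struct("!BBBBI")        # Auth Type, Auth Len, Auth Key ID, Reserved, Sequence


def keyed_sha1(packet_without_hash, key):
    """Section 6.7.4: SHA-1 over the whole packet with the shared key (zero-padded to
    20 octets) sitting in the Auth Key/Hash field. This is the RFC's keyed hash, not an HMAC."""
    return hashlib.sha1(packet_without_hash + key.ljust(20, b"\0")).digest()


def affects_state(flags):
    """Poll and Final frames carry or acknowledge parameter and state changes."""
    return bool(flags & (FLAG_P | FLAG_F))


def build_packet(sta, flags, detect_mult, my_disc, your_disc, tx_us, rx_us,
                 echo_rx_us=0, diag=0, key=None, key_id=0, seq=0):
    """Encode a control packet; append an Authentication Section only when key is given."""
    if key is not None:
        flags |= FLAG_A
    length = MANDATORY.size + (AUTH_LEN_SHA1 if key is not None else 0)
    pkt = MANDATORY.pack((1 << 5) | (diag & 0x1F), (sta << 6) | (flags & 0x3F), detect_mult,
                         length, my_disc, your_disc, tx_us, rx_us, echo_rx_us)
    if key is None:
        return pkt
    pkt += AUTH_HDR.pack(AUTH_METICULOUS_KEYED_SHA1, AUTH_LEN_SHA1, key_id, 0, seq)
    return pkt + keyed_sha1(pkt, key)


class Peer:
    """One end of a session applying the selective-authentication policy."""

    def __init__(self, key, key_id=1, detect_mult=3):
        self.key, self.key_id, self.detect_mult = key, key_id, detect_mult
        self.tx_seq = 0            # advanced only when an authenticated frame is sent
        self.rx_seq = None         # last accepted sequence number from the peer
        self.remote_tx_us = None   # peer's Desired Min TX Interval, learned from Poll frames
        self.plain_accepted = 0

    def send(self, sta, flags, my_disc, your_disc, tx_us, rx_us):
        if affects_state(flags):
            self.tx_seq += 1
            return build_packet(sta, flags, self.detect_mult, my_disc, your_disc, tx_us,
                                rx_us, key=self.key, key_id=self.key_id, seq=self.tx_seq)
        return build_packet(sta, flags, self.detect_mult, my_disc, your_disc, tx_us, rx_us)

    def receive(self, pkt):
        """Return 'accept', 'accept-plain' or 'drop: <reason>'."""
        if len(pkt) < MANDATORY.size:
            return "drop: short"
        vd, sf, detect_mult, length, my_disc, _, tx_us, _, _ = MANDATORY.unpack_from(pkt)
        flags = sf & 0x3F
        if vd >> 5 != 1 or length != len(pkt) or detect_mult == 0 or my_disc == 0:
            return "drop: malformed"          # section 6.8.6 checks that precede authentication
        if flags & FLAG_A:
            if len(pkt) != MANDATORY.size + AUTH_LEN_SHA1:
                return "drop: bad auth section"
            a_type, a_len, key_id, _, seq = AUTH_HDR.unpack_from(pkt, MANDATORY.size)
            if a_type != AUTH_METICULOUS_KEYED_SHA1 or a_len != AUTH_LEN_SHA1 or key_id != self.key_id:
                return "drop: bad auth section"
            # Meticulous rule: strictly increasing and within 3 * Detect Mult of the last accepted
            # value, so a captured Poll cannot be replayed later to re-apply old parameters.
            if self.rx_seq is not None and not (self.rx_seq < seq <= self.rx_seq + 3 * detect_mult):
                return "drop: replay"
            if not hmac.compare_digest(pkt[-20:], keyed_sha1(pkt[:-20], self.key)):
                return "drop: bad hash"
            self.rx_seq = seq
        elif affects_state(flags):
            return "drop: unauthenticated state change"   # the receive-side half of the policy
        else:
            self.plain_accepted += 1          # routine keep-alive: no integrity check at all
            return "accept-plain"
        if flags & FLAG_P:
            self.remote_tx_us = tx_us         # apply the peer's new interval; a Final reply follows
        return "accept"


def demo():
    """Constructed exchange: keep-alive, Poll, forged Poll, replayed Poll, tampered Poll."""
    key = b"shared-secret-1"
    a, b = Peer(key), Peer(key)
    out = [b.receive(a.send(STA_UP, 0, 0x1111, 0x2222, 1_000_000, 1_000_000))]
    poll = a.send(STA_UP, FLAG_P, 0x1111, 0x2222, 300_000, 1_000_000)
    out.append(b.receive(poll))
    forged = build_packet(STA_UP, FLAG_P, 3, 0x1111, 0x2222, 3_300, 1_000_000)
    out.append(b.receive(forged))             # no A flag, tries to force a 3.3 ms interval
    out.append(b.receive(poll))               # the genuine Poll captured and replayed
    tampered = bytearray(a.send(STA_UP, FLAG_P, 0x1111, 0x2222, 300_000, 1_000_000))
    tampered[15] ^= 0x01                      # flip a bit of Desired Min TX Interval
    out.append(b.receive(bytes(tampered)))
    return out, b.remote_tx_us
```

Which frames count as state-affecting is a policy decision, and the block keeps the page's P/F rule for clarity. In a deployment the list would be wider: under RFC 5880 the Sta field of a received packet also drives the receiver's session state machine, and the page itself names AIS and RDI indications, so both belong in `affects_state` alongside P and F. Because the sequence number advances only on authenticated frames, the replay window of 3 times Detect Mult is measured in authenticated frames, not in wall-clock time; that is acceptable for the infrequent Poll/Final traffic this policy authenticates, but the receiver must persist `rx_seq` for the life of the session rather than resetting it on a restart.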

Again, the integrity check optimization method 200 has been described herein with specific reference to BFD (the BFD control packets 150 and the BFD echo packets) and IEEE 802.1ag-2007/G.8013/Y.1731 (the CCM PDUs 180). However, those of ordinary skill in the art will recognize the integrity check optimization method 200 can be extended to any routing protocol or the transport or network mechanisms protecting routing protocols. That is, authentication need not be on every frame, just the important frames, which are defined herein as those affecting the state of the network path. These frames can be determined ahead of time, and the two nodes can be configured to require authentication on these frames before taking any associated action based thereon. The integrity check optimization method 200 can also be used in Open Shortest Path First (OSPF) [RFC2328], Intermediate System-Intermediate System (IS-IS) [RFC1195], Routing Information Protocol (RIP) [RFC2453], and the like. Advantageously, the integrity check optimization method 200 allows deployment on low-end to high-end systems and does not require specific cryptography hardware, since authentication is infrequent and can be done in software without consuming too many resources. Authenticating all frames in software is computationally challenging.

The integrity check optimization method 200 can also include operating the network path as pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms, wherein the connectivity check is part of the OAM mechanisms. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include one of BFD control packets and BFD echo packets predetermined to affect the state of the network path. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include BFD control packets with a P or an F flag enabled therein, and the integrity check optimization method 200 can further include enabling an A flag in the BFD control packets of the specific frames and using the authentication mechanism. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include one of BFD control packets and BFD echo packets indicating a Remote Defect Indication (RDI), an Alarm Indication Signal (AIS), and a change in operating parameters. The connectivity check can include IEEE 802.1ag-2007 or G.8013/Y.1731, and the specific frames can include Continuity Check Message (CCM) Protocol Data Units (PDUs) predetermined to affect the state of the network path. The authentication mechanism can be performed in software at the two nodes. The specific frames can include any frames in any of Open Shortest Path First (OSPF) [RFC2328], Intermediate System-Intermediate System (IS-IS) [RFC1195], and Routing Information Protocol (RIP) [RFC2453] predetermined to affect the state of the network path.

Referring to FIG. 5, in an exemplary embodiment, a block diagram illustrates an exemplary implementation of a network element 300 for the nodes 102, 104, 106. In this exemplary embodiment, the network element 300 is an Ethernet network switch, but those of ordinary skill in the art will recognize the present invention contemplates other types of network elements and other implementations, such as, for example, a layer two switch integrated within an optical network element. In this exemplary embodiment, the network element 300 includes a plurality of blades 302, 304 interconnected via an interface 306. The blades 302, 304 are also known as line cards, line modules, circuit packs, pluggable modules, etc. and refer generally to components mounted within a chassis, shelf, etc. of a data switching device, i.e., the network element 300. In another exemplary embodiment, the functionality of each of the blades 302, 304 may be integrated within a single module, such as in the layer two switch integrated within an optical network element. Each of the blades 302, 304 may include numerous electronic devices and optical devices mounted on a circuit board along with various interconnects including interfaces to the chassis, shelf, etc. Two exemplary blades are illustrated with line blades 302 and control blades 304. The line blades 302 generally include data ports 308 such as a plurality of Ethernet ports. For example, the line blade 302 may include a plurality of physical ports disposed on an exterior of the blade 302 for receiving ingress/egress connections. Additionally, the line blades 302 may include switching components to form a switching fabric via the backplane 306 between all of the data ports 308, allowing data traffic to be switched between the data ports 308 on the various line blades 302. The switching fabric is a combination of hardware, software, firmware, etc. that moves data coming into the network element 300 out by the correct port 308 to the next network element. “Switching fabric” includes switching units, or individual boxes, in a node; integrated circuits contained in the switching units; and programming that allows switching paths to be controlled.

The control blades 304 include a microprocessor 310, memory 312, software 314, and a network interface 316 to operate within the network 100. Specifically, the microprocessor 310, the memory 312, and the software 314 may collectively control, configure, provision, monitor, etc. the network element 300. The network interface 316 may be utilized to communicate with an element manager, a network management system, etc. Additionally, the control blades 304 may include a database 320 that tracks and maintains provisioning, configuration, operational data, and the like. The database 320 may include a forwarding database (FDB) 322. In this exemplary embodiment, the network element 300 includes two control blades 304 which may operate in a redundant or protected configuration such as 1:1, 1+1, etc. In general, the control blades 304 maintain dynamic system information including Layer two forwarding databases, protocol state machines, and the operational status of the ports 308 within the network element 300. In an exemplary embodiment, the blades 302, 304 are configured to implement the integrity check optimization method 200 as described herein. The network element 300 can be implemented as the MEPs 102, 104 or the MIP 106 and implement the integrity check optimization method 200 described herein.

Specifically, the network element 300 can be the MEPs 102, 104 or the MIP 106 based on provisioning and configuration. The network element 300 can include one or more ports communicatively coupled to an end node in a network path; and a controller configured to: determine an authentication mechanism with the end node; cause the network path to operate with the end node; perform a connectivity check with the end node in the network path; and authenticate specific frames in the connectivity check with the end node with the authentication mechanism responsive to the specific frames affecting a state of the network path. The controller can be further configured to transmit other frames in the connectivity check besides the specific frames without the authentication mechanism. The controller can be further configured to cause the network path to be operated as pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms, wherein the connectivity check is part of the OAM mechanisms. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include one of BFD control packets and BFD echo packets predetermined to affect the state of the network path.

The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include BFD control packets with a P or an F flag enabled therein, and the controller can be further configured to cause an A flag to be enabled in the BFD control packets of the specific frames and to use the authentication mechanism. The connectivity check can include Bidirectional Forwarding Detection (BFD), and the specific frames can include one of BFD control packets and BFD echo packets indicating a Remote Defect Indication (RDI), an Alarm Indication Signal (AIS), and a change in operating parameters. The connectivity check can include IEEE 802.1ag-2007 or G.8013/Y.1731, and the specific frames can include Continuity Check Message (CCM) Protocol Data Units (PDUs) predetermined to affect the state of the network path. The authentication mechanism can be performed in software by the controller. The specific frames can include any frames in any of Open Shortest Path First (OSPF) [RFC2328], Intermediate System-Intermediate System (IS-IS) [RFC1195], and Routing Information Protocol (RIP) [RFC2453] predetermined to affect the state of the network path.
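The selective policy set out above for both the method (BFD control packets carrying a P or F flag, with the A flag enabled and the authentication mechanism applied) and the network element controller that applies the same rule can be made concrete. The following Python is an added example written for this page; it is not code from the patent or from any vendor's implementation. The control packet layout, the Meticulous Keyed SHA1 authentication section (Auth Type 5) and the receive-side sequence window follow RFC 5880; the Session object, the affects_path_state rule, the 3.3 ms timers, the shared key and the discriminators are assumptions made for illustration. The receiver classifies each incoming frame against its own view of the peer rather than trusting the sender's A flag: a frame that would change Sta, Diag, Detect Mult or the timers, or that carries P or F, is discarded unless it is authenticated and its sequence number is fresh, while an unchanged keepalive is accepted without any SHA1 work. Three points a practitioner should weigh: RFC 5880 section 6.8.6 otherwise requires the A bit on every packet of an authenticated session, so both ends must be configured for this policy, as the description notes; the Keyed SHA1 construction of RFC 5880 places the key in the Auth Key/Hash field and is a keyed hash rather than an HMAC; and bare keepalives still refresh the detection timer, so the CPU saving is bought by accepting unauthenticated frames that merely repeat the current state.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional

STATE_ADMIN_DOWN, STATE_DOWN, STATE_INIT, STATE_UP = 0, 1, 2, 3
FLAG_P, FLAG_F, FLAG_A = 0x20, 0x10, 0x04              # Poll, Final, Authentication Present
AUTH_METICULOUS_SHA1, BASE_LEN, AUTH_LEN, HASH_LEN = 5, 24, 28, 20

@dataclass
class ControlPacket:  # RFC 5880 sec. 4.1 mandatory section plus the sec. 4.4 SHA1 authentication section
    diag: int; state: int; flags: int; detect_mult: int
    my_disc: int; your_disc: int; min_tx: int; min_rx: int; min_echo_rx: int
    key_id: int = 0; seq: int = 0; digest: bytes = b"\0" * HASH_LEN

    def pack(self) -> bytes:
        raw = struct.pack("!BBBBIIIII", (1 << 5) | (self.diag & 0x1F), ((self.state & 0x3) << 6) | (self.flags & 0x3F),
                          self.detect_mult, BASE_LEN + (AUTH_LEN if self.flags & FLAG_A else 0),
                          self.my_disc, self.your_disc, self.min_tx, self.min_rx, self.min_echo_rx)
        if self.flags & FLAG_A:  # Auth Type, Auth Len, Auth Key ID, Reserved, Sequence Number, Auth Key/Hash
            raw += struct.pack("!BBBBI", AUTH_METICULOUS_SHA1, AUTH_LEN, self.key_id, 0, self.seq) + self.digest
        return raw

    @classmethod
    def unpack(cls, raw: bytes) -> "ControlPacket":
        b0, b1, dm, length, my, your, tx, rx, erx = struct.unpack("!BBBBIIIII", raw[:BASE_LEN])
        if b0 >> 5 != 1 or length != len(raw) or dm == 0 or my == 0:
            raise ValueError("malformed header")  # RFC 5880 sec. 6.8.6 sanity checks
        pkt = cls(b0 & 0x1F, b1 >> 6, b1 & 0x3F, dm, my, your, tx, rx, erx)
        if pkt.flags & FLAG_A:
            if length != BASE_LEN + AUTH_LEN: raise ValueError("malformed authentication section")
            atype, alen, pkt.key_id, _, pkt.seq = struct.unpack("!BBBBI", raw[BASE_LEN:BASE_LEN + 8])
            if (atype, alen) != (AUTH_METICULOUS_SHA1, AUTH_LEN): raise ValueError("unsupported auth type")
            pkt.digest = raw[BASE_LEN + 8:]
        return pkt

def keyed_sha1(raw: bytes, key: bytes) -> bytes:
    # RFC 5880 sec. 6.7.4: SHA1 over the packet with the 1..20 byte key, zero-padded, in the Auth Key/Hash field (not an HMAC).
    return hashlib.sha1(raw[:-HASH_LEN] + key.ljust(HASH_LEN, b"\0")).digest()

@dataclass
class Session:
    local_disc: int; key_id: int; key: bytes
    remote_disc: int = 0; remote_state: int = STATE_DOWN; remote_diag: int = 0
    remote_detect_mult: int = 0; remote_timers: tuple = (0, 0, 0)
    last_sent: Optional[ControlPacket] = None; xmit_seq: int = 0; rcv_seq: Optional[int] = None  # bfd.RcvAuthSeq

def affects_path_state(pkt: ControlPacket, s: Session) -> bool:
    # The method's "specific frames": anything that is not a bare repetition of what this receiver already believes.
    return bool(pkt.flags & (FLAG_P | FLAG_F)) or pkt.my_disc != s.remote_disc \
        or (pkt.state, pkt.diag, pkt.detect_mult) != (s.remote_state, s.remote_diag, s.remote_detect_mult) \
        or (pkt.min_tx, pkt.min_rx, pkt.min_echo_rx) != s.remote_timers

def transmit(s: Session, pkt: ControlPacket) -> bytes:
    # Sender: sign only if P/F is set or the content differs from the last frame sent; otherwise send it bare.
    view = lambda p: (p.state, p.diag, p.detect_mult, p.min_tx, p.min_rx, p.min_echo_rx)
    changed = s.last_sent is None or view(pkt) != view(s.last_sent)
    s.last_sent = pkt
    if not (changed or pkt.flags & (FLAG_P | FLAG_F)):
        pkt.flags &= ~FLAG_A; return pkt.pack()  # bare keepalive, no SHA1 work
    s.xmit_seq = (s.xmit_seq + 1) & 0xFFFFFFFF  # meticulous: the sequence number moves on every signed frame
    pkt.flags, pkt.key_id, pkt.seq, pkt.digest = pkt.flags | FLAG_A, s.key_id, s.xmit_seq, b"\0" * HASH_LEN
    pkt.digest = keyed_sha1(pkt.pack(), s.key)
    return pkt.pack()

def receive(s: Session, raw: bytes) -> str:
    # Receiver: verify whenever A is present; refuse any unsigned frame that would change its view of the path.
    try: pkt = ControlPacket.unpack(raw)
    except (ValueError, struct.error) as e: return f"discard: {e}"
    if pkt.your_disc not in (0, s.local_disc): return "discard: Your Discriminator does not match"
    state_affecting = affects_path_state(pkt, s)
    if state_affecting and not pkt.flags & FLAG_A: return "discard: state-affecting frame without authentication"
    if pkt.flags & FLAG_A:
        if not hmac.compare_digest(keyed_sha1(raw, s.key), pkt.digest): return "discard: integrity check failed"
        # Meticulous window, RFC 5880 sec. 6.7.4: RcvAuthSeq+1 .. RcvAuthSeq + 3*Detect Mult, modulo 2^32
        if s.rcv_seq is not None and not 1 <= (pkt.seq - s.rcv_seq) & 0xFFFFFFFF <= 3 * pkt.detect_mult:
            return "discard: sequence number outside replay window"
        s.rcv_seq = pkt.seq
    if not state_affecting: return "accept: keepalive, detection timer refreshed"
    s.remote_disc, s.remote_state, s.remote_diag = pkt.my_disc, pkt.state, pkt.diag
    s.remote_detect_mult, s.remote_timers = pkt.detect_mult, (pkt.min_tx, pkt.min_rx, pkt.min_echo_rx)
    return "accept: authenticated state-affecting frame"

def demo() -> List[str]:
    # Constructed exchange between nodes A and B; the shared key and discriminators are made up for the example.
    key = b"example-bfd-key-01"
    a, b = Session(0x1111, 7, key), Session(0x2222, 7, key)
    t = dict(detect_mult=3, min_tx=3300, min_rx=3300, min_echo_rx=0)  # 3.3 ms intervals, in microseconds
    f1 = transmit(a, ControlPacket(0, STATE_DOWN, FLAG_P, my_disc=0x1111, your_disc=0, **t))
    out = [receive(b, f1)]                              # Poll: signed; B learns A's discriminator
    out.append(receive(b, transmit(a, ControlPacket(0, STATE_DOWN, 0, my_disc=0x1111, your_disc=0x2222, **t))))
    forged = ControlPacket(7, STATE_ADMIN_DOWN, 0, my_disc=0x1111, your_disc=0x2222, **t).pack()
    out.append(receive(b, forged))                      # spoofed teardown without the A flag
    out.append(receive(b, f1))                          # replay of the genuine signed Poll
    f3 = transmit(a, ControlPacket(0, STATE_UP, 0, my_disc=0x1111, your_disc=0x2222, **t))
    tampered = bytearray(f3); tampered[1] ^= 0x40; out.append(receive(b, bytes(tampered)))  # Sta bit flipped
    out.append(receive(b, f3))                          # genuine Up transition
    return out
```

demo() walks a constructed exchange: a signed Poll, a bare keepalive with identical content, a forged AdminDown without the A flag, a replay of the signed Poll, a bit-flipped copy of the signed Up frame, and the genuine Up transition; only the two authenticated frames cost the receiver a SHA1 computation. One operational consequence of the sender-side rule: if a signed transition frame is lost, the receiver's view is stale and it discards the sender's following bare keepalives until the next signed frame arrives, so a deployment would re-sign on a Poll or after a detection interval rather than relying on a single signed frame.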

It will be appreciated that some exemplary embodiments described herein may include one or more generic or specialized processors (“one or more processors”) such as microprocessors, digital signal processors, customized processors, and field programmable gate arrays (FPGAs) and unique stored program instructions (including both software and firmware) that control the one or more processors to implement, in conjunction with certain non-processor circuits, some, most, or all of the functions of the methods and/or systems described herein. Alternatively, some or all functions may be implemented by a state machine that has no stored program instructions, or in one or more application specific integrated circuits (ASICs), in which each function or some combinations of certain of the functions are implemented as custom logic. Of course, a combination of the aforementioned approaches may be used. Moreover, some exemplary embodiments may be implemented as a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a computer, server, appliance, device, etc., each of which may include a processor to perform methods as described and claimed herein. Examples of such computer-readable storage mediums include, but are not limited to, a hard disk, an optical storage device, a magnetic storage device, a ROM (Read Only Memory), a PROM (Programmable Read Only Memory), an EPROM (Erasable Programmable Read Only Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory), Flash memory, and the like. When stored in the non-transitory computer readable medium, software can include instructions executable by a processor that, in response to such execution, cause a processor or any other circuitry to perform a set of operations, steps, methods, processes, algorithms, etc.

Although the present disclosure has been illustrated and described herein with reference to preferred embodiments and specific examples thereof, it will be readily apparent to those of ordinary skill in the art that other embodiments and examples may perform similar functions and/or achieve like results. All such equivalent embodiments and examples are within the spirit and scope of the present disclosure, are contemplated thereby, and are intended to be covered by the following claims.

What is claimed is:
1. A method, comprising: determining an authentication mechanism between two nodes in a network path; operating the network path; performing a connectivity check between the two nodes in the network path; and authenticating specific frames in the connectivity check between the two nodes with the authentication mechanism responsive to the specific frames affecting a state of the network path.
2. The method of claim 1, further comprising: transmitting other frames in the connectivity check besides the specific frames without the authentication mechanism.
3. The method of claim 1, further comprising: operating the network path as pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms, wherein the connectivity check is part of the OAM mechanisms.
4. The method of claim 1, wherein the connectivity check comprises Bidirectional Forwarding Detection (BFD), and the specific frames comprise one of BFD control packets and BFD echo packets predetermined to affect the state of the network path.
5. The method of claim 1, wherein the connectivity check comprises Bidirectional Forwarding Detection (BFD), and the specific frames comprise BFD control packets with a P or an F flag enabled therein, and further comprising: enabling an A flag in the BFD control packets of the specific frames and using the authentication mechanism.
6. The method of claim 1, wherein the connectivity check comprises Bidirectional Forwarding Detection (BFD), and the specific frames comprise one of BFD control packets and BFD echo packets indicating a Remote Defect Indication (RDI), an Alarm Indication Signal (AIS), and a change in operating parameters.
7. The method of claim 1, wherein the connectivity check comprises IEEE 802.1ag-2007 or G.8013/Y.1731, and the specific frames comprise Continuity Check Message (CCM) Protocol Data Units (PDUs) predetermined to affect the state of the network path.
8. The method of claim 1, wherein the authentication mechanism is performed in software at the two nodes.
9. The method of claim 1, wherein the specific frames comprise any frames in any of Open Shortest Path First (OSPF) [RFC2328], Intermediate System-Intermediate System (IS-IS) [RFC1195], and Routing Information Protocol (RIP) [RFC2453] predetermined to affect the state of the network path.
10. A network element, comprising: one or more ports communicatively coupled to an end node in a network path; and a controller configured to: determine an authentication mechanism with the end node; cause the network path to operate with the end node; perform a connectivity check with the end node in the network path; and authenticate specific frames in the connectivity check with the end node with the authentication mechanism responsive to the specific frames affecting a state of the network path.
11. The network element of claim 10, wherein the controller is further configured to: transmit other frames in the connectivity check besides the specific frames without the authentication mechanism.
12. The network element of claim 10, wherein the controller is further configured to: cause the network path to be operated as pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms, wherein the connectivity check is part of the OAM mechanisms.
13. The network element of claim 10, wherein the connectivity check comprises Bidirectional Forwarding Detection (BFD), and the specific frames comprise one of BFD control packets and BFD echo packets predetermined to affect the state of the network path.
14. The network element of claim 10, wherein the connectivity check comprises Bidirectional Forwarding Detection (BFD), and the specific frames comprise BFD control packets with a P or an F flag enabled therein, and wherein the controller is further configured to: cause an A flag to be enabled in the BFD control packets of the specific frames and use the authentication mechanism.
15. The network element of claim 10, wherein the connectivity check comprises Bidirectional Forwarding Detection (BFD), and the specific frames comprise one of BFD control packets and BFD echo packets indicating a Remote Defect Indication (RDI), an Alarm Indication Signal (AIS), and a change in operating parameters.
16. The network element of claim 10, wherein the connectivity check comprises IEEE 802.1ag-2007 or G.8013/Y.1731, and the specific frames comprise Continuity Check Message (CCM) Protocol Data Units (PDUs) predetermined to affect the state of the network path.
17. The network element of claim 10, wherein the authentication mechanism is performed in software by the controller.
18. The network element of claim 10, wherein the specific frames comprise any frames in any of Open Shortest Path First (OSPF) [RFC2328], Intermediate System-Intermediate System (IS-IS) [RFC1195], and Routing Information Protocol (RIP) [RFC2453] predetermined to affect the state of the network path.
19. A network, comprising: a first node; and a second node communicatively coupled to the first node and forming a network path operating pure Layer-2 or Multiprotocol Label Switching (MPLS) with Operations, Administration, and Maintenance (OAM) mechanisms; wherein a plurality of frames are exchanged between the first node and the second node as part of the OAM mechanisms, and the plurality of frames are classified as one of affecting a state of the network path or not affecting the state of the network path; and wherein the first node and the second node are configured to authenticate the plurality of frames classified as affecting a state of the network path and to not authenticate the plurality of frames classified as not affecting the state of the network path.
20. The network of claim 19, wherein the plurality of frames utilize Bidirectional Forwarding Detection (BFD).